ContentSecurityPolicy
Provides tools for working with the Content-Security-Policy header to help defeat XSS attacks.
Table of Contents
Constants
- DIRECTIVES_ALLOWING_SOURCE_LISTS = ['base-uri' => 'baseURI', 'child-src' => 'childSrc', 'connect-src' => 'connectSrc', 'default-src' => 'defaultSrc', 'font-src' => 'fontSrc', 'form-action' => 'formAction', 'frame-ancestors' => 'frameAncestors', 'frame-src' => 'frameSrc', 'img-src' => 'imageSrc', 'media-src' => 'mediaSrc', 'object-src' => 'objectSrc', 'plugin-types' => 'pluginTypes', 'script-src' => 'scriptSrc', 'style-src' => 'styleSrc', 'sandbox' => 'sandbox', 'manifest-src' => 'manifestSrc', 'script-src-elem' => 'scriptSrcElem', 'script-src-attr' => 'scriptSrcAttr', 'style-src-elem' => 'styleSrcElem', 'style-src-attr' => 'styleSrcAttr', 'worker-src' => 'workerSrc']
Properties
- $autoNonce : bool
- Replace nonce tags automatically?
- $baseURI : array<string, bool>|string|null
- The `base-uri` directive restricts the URLs that can be used to specify the document base URL.
- $childSrc : array<string, bool>|string
- The `child-src` directive governs the creation of nested browsing contexts as well as Worker execution contexts.
- $connectSrc : array<string, bool>|string
- The `connect-src` directive restricts which URLs the protected resource can load using script interfaces.
- $CSPEnabled : bool
- Whether Content Security Policy is being enforced.
- $defaultSrc : array<string, bool>|string|null
- The `default-src` directive sets a default source list for a number of directives.
- $directives : array<string, string>
- Map of CSP directives to this class's properties.
- $fontSrc : array<string, bool>|string
- The `font-src` directive restricts from where the protected resource can load fonts.
- $formAction : array<string, bool>|string
- The `form-action` directive restricts which URLs can be used as the action of HTML form elements.
- $frameAncestors : array<string, bool>|string
- The `frame-ancestors` directive indicates whether the user agent should allow embedding the resource using a `frame`, `iframe`, `object`, `embed` or `applet` element, or equivalent functionality in non-HTML resources.
- $frameSrc : array<string, bool>|string
- The `frame-src` directive restricts the URLs which may be loaded into child navigables.
- $imageSrc : array<string, bool>|string
- The `img-src` directive restricts from where the protected resource can load images.
- $manifestSrc : array<string, bool>|string
- The `manifest-src` directive restricts the URLs from which application manifests may be loaded.
- $mediaSrc : array<string, bool>|string
- The `media-src` directive restricts from where the protected resource can load video, audio, and associated text tracks.
- $nonces : array<int, string>
- Set of nonces generated.
- $objectSrc : array<string, bool>|string
- The `object-src` directive restricts from where the protected resource can load plugins.
- $pluginTypes : array<string, bool>|string
- The `plugin-types` directive restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded.
- $reportOnly : bool
- Set to `true` to make all directives report-only instead of enforced.
- $reportOnlyHeaders : array<string, string>
- An array of header info to build that should only be reported.
- $reportTo : string|null
- The `report-to` directive specifies a named group in a Reporting API endpoint to which the user agent sends reports about policy violation.
- $reportURI : string|null
- The `report-uri` directive specifies a URL to which the user agent sends reports about policy violation.
- $sandbox : array<string, bool>|string
- The `sandbox` directive specifies an HTML sandbox policy that the user agent applies to the protected resource.
- $scriptNonce : string|null
- Nonce for script tags.
- $scriptNonceTag : string
- Nonce placeholder for script tags.
- $scriptSrc : array<string, bool>|string
- The `script-src` directive restricts which scripts the protected resource can execute.
- $scriptSrcAttr : array<string, bool>|string
- The `script-src-attr` directive applies to event handlers and, if present, it will override the `script-src` directive for relevant checks.
- $scriptSrcElem : array<string, bool>|string
- The `script-src-elem` directive applies to all script requests and script blocks.
- $styleNonce : string|null
- Nonce for style tags.
- $styleNonceTag : string
- Nonce placeholder for style tags.
- $styleSrc : array<string, bool>|string
- The `style-src` directive restricts which styles the user agent may apply to the protected resource.
- $styleSrcAttr : array<string, bool>|string
- The `style-src-attr` directive governs the behaviour of style attributes.
- $styleSrcElem : array<string, bool>|string
- The `style-src-elem` directive governs the behaviour of styles except for styles defined in inline attributes.
- $tempHeaders : array<string, string>
- An array of header info since we have to build ourselves before passing to a Response object.
- $upgradeInsecureRequests : bool
- Instructs user agents to rewrite URL schemes by changing HTTP to HTTPS.
- $validSources : array<int, string>
- Set of valid keyword-sources.
- $workerSrc : array<string, bool>|string
- The `worker-src` directive restricts the URLs which may be loaded as a `Worker`, `SharedWorker`, or `ServiceWorker`.
- $reportingEndpoints : array<string, string>
- Map of reporting endpoints to their URLs.
Methods
- __construct() : mixed
- Stores our default values from the Config file.
- addBaseURI() : $this
- Adds a new value to the `base-uri` directive.
- addChildSrc() : $this
- Adds a new value to the `child-src` directive.
- addConnectSrc() : $this
- Adds a new value to the `connect-src` directive.
- addFontSrc() : $this
- Adds a new value to the `font-src` directive.
- addFormAction() : $this
- Adds a new value to the `form-action` directive.
- addFrameAncestor() : $this
- Adds a new value to the `frame-ancestors` directive.
- addFrameSrc() : $this
- Adds a new value to the `frame-src` directive.
- addImageSrc() : $this
- Adds a new value to the `img-src` directive.
- addManifestSrc() : $this
- Adds a new value to the `manifest-src` directive.
- addMediaSrc() : $this
- Adds a new value to the `media-src` directive.
- addObjectSrc() : $this
- Adds a new value to the `object-src` directive.
- addPluginType() : $this
- Adds a new value to the `plugin-types` directive.
- addReportingEndpoints() : static
- Adds reporting endpoints to the `Reporting-Endpoints` header.
- addSandbox() : $this
- Adds a new value to the `sandbox` directive.
- addScriptSrc() : $this
- Adds a new value to the `script-src` directive.
- addScriptSrcAttr() : static
- Adds a new value to the `script-src-attr` directive.
- addScriptSrcElem() : static
- Adds a new value to the `script-src-elem` directive.
- addStyleSrc() : $this
- Adds a new value to the `style-src` directive.
- addStyleSrcAttr() : static
- Adds a new value to the `style-src-attr` directive.
- addStyleSrcElem() : static
- Adds a new value to the `style-src-elem` directive.
- addWorkerSrc() : static
- Adds a new value to the `worker-src` directive.
- clearDirective() : void
- enabled() : bool
- Whether Content Security Policy is being enforced.
- finalize() : void
- Compiles and sets the appropriate headers in the request.
- getScriptNonce() : string
- Get the nonce for the script tag.
- getStyleNonce() : string
- Get the nonce for the style tag.
- reportOnly() : $this
- If TRUE, nothing will be restricted. Instead all violations will be reported to the reportURI for monitoring. This is useful when you are just starting to implement the policy, and will help determine what errors need to be addressed before you turn on all filtering.
- setDefaultSrc() : $this
- Adds a new value to the `default-src` directive.
- setReportToEndpoint() : static
- Specifies a named group in a Reporting API endpoint to which the user agent sends reports about policy violation.
- setReportURI() : $this
- Specifies a URL where a browser will send reports when a content security policy is violated.
- upgradeInsecureRequests() : $this
- Sets whether the user agents should rewrite URL schemes, changing HTTP to HTTPS.
- addOption() : void
- DRY method to add a string or array to a class property.
- addToHeader() : void
- Adds a directive and its options to the appropriate header. The $values array might have options that are geared toward either the regular or the reportOnly header, since it's viable to have both simultaneously.
- buildHeaders() : void
- Based on the current state of the elements, will add the appropriate Content-Security-Policy and Content-Security-Policy-Report-Only headers with their values to the response object.
- generateNonces() : void
- Scans the body of the request message and replaces any nonce placeholders with actual nonces, that we'll then add to our headers.
Constants
DIRECTIVES_ALLOWING_SOURCE_LISTS
private
mixed
DIRECTIVES_ALLOWING_SOURCE_LISTS
= ['base-uri' => 'baseURI', 'child-src' => 'childSrc', 'connect-src' => 'connectSrc', 'default-src' => 'defaultSrc', 'font-src' => 'fontSrc', 'form-action' => 'formAction', 'frame-ancestors' => 'frameAncestors', 'frame-src' => 'frameSrc', 'img-src' => 'imageSrc', 'media-src' => 'mediaSrc', 'object-src' => 'objectSrc', 'plugin-types' => 'pluginTypes', 'script-src' => 'scriptSrc', 'style-src' => 'styleSrc', 'sandbox' => 'sandbox', 'manifest-src' => 'manifestSrc', 'script-src-elem' => 'scriptSrcElem', 'script-src-attr' => 'scriptSrcAttr', 'style-src-elem' => 'styleSrcElem', 'style-src-attr' => 'styleSrcAttr', 'worker-src' => 'workerSrc']
Properties
$autoNonce
Replace nonce tags automatically?
protected
bool
$autoNonce
= true
$baseURI
The `base-uri` directive restricts the URLs that can be used to specify the document base URL.
protected
array<string, bool>|string|null
$baseURI
= []
$childSrc
The `child-src` directive governs the creation of nested browsing contexts as well as Worker execution contexts.
protected
array<string, bool>|string
$childSrc
= []
$connectSrc
The `connect-src` directive restricts which URLs the protected resource can load using script interfaces.
protected
array<string, bool>|string
$connectSrc
= []
$CSPEnabled
Whether Content Security Policy is being enforced.
protected
bool
$CSPEnabled
= false
$defaultSrc
The `default-src` directive sets a default source list for a number of directives.
protected
array<string, bool>|string|null
$defaultSrc
= []
$directives
Map of CSP directives to this class's properties.
protected
array<string, string>
$directives
= [...self::DIRECTIVES_ALLOWING_SOURCE_LISTS, 'report-uri' => 'reportURI', 'report-to' => 'reportTo']
$fontSrc
The `font-src` directive restricts from where the protected resource can load fonts.
protected
array<string, bool>|string
$fontSrc
= []
$formAction
The `form-action` directive restricts which URLs can be used as the action of HTML form elements.
protected
array<string, bool>|string
$formAction
= []
$frameAncestors
The `frame-ancestors` directive indicates whether the user agent should allow embedding the resource using a `frame`, `iframe`, `object`, `embed` or `applet` element, or equivalent functionality in non-HTML resources.
protected
array<string, bool>|string
$frameAncestors
= []
$frameSrc
The `frame-src` directive restricts the URLs which may be loaded into child navigables.
protected
array<string, bool>|string
$frameSrc
= []
$imageSrc
The `img-src` directive restricts from where the protected resource can load images.
protected
array<string, bool>|string
$imageSrc
= []
$manifestSrc
The `manifest-src` directive restricts the URLs from which application manifests may be loaded.
protected
array<string, bool>|string
$manifestSrc
= []
$mediaSrc
The `media-src` directive restricts from where the protected resource can load video, audio, and associated text tracks.
protected
array<string, bool>|string
$mediaSrc
= []
$nonces
Set of nonces generated.
Never used.
protected
array<int, string>
$nonces
= []
$objectSrc
The `object-src` directive restricts from where the protected resource can load plugins.
protected
array<string, bool>|string
$objectSrc
= []
$pluginTypes
The `plugin-types` directive restricts the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded.
protected
array<string, bool>|string
$pluginTypes
= []
$reportOnly
Set to `true` to make all directives report-only instead of enforced.
protected
bool
$reportOnly
= false
$reportOnlyHeaders
An array of header info to build that should only be reported.
protected
array<string, string>
$reportOnlyHeaders
= []
$reportTo
The `report-to` directive specifies a named group in a Reporting API endpoint to which the user agent sends reports about policy violation.
protected
string|null
$reportTo
= null
$reportURI
The `report-uri` directive specifies a URL to which the user agent sends reports about policy violation.
protected
string|null
$reportURI
$sandbox
The `sandbox` directive specifies an HTML sandbox policy that the user agent applies to the protected resource.
protected
array<string, bool>|string
$sandbox
= []
$scriptNonce
Nonce for script tags.
protected
string|null
$scriptNonce
$scriptNonceTag
Nonce placeholder for script tags.
protected
string
$scriptNonceTag
= '{csp-script-nonce}'
$scriptSrc
The `script-src` directive restricts which scripts the protected resource can execute.
protected
array<string, bool>|string
$scriptSrc
= []
$scriptSrcAttr
The `script-src-attr` directive applies to event handlers and, if present, it will override the `script-src` directive for relevant checks.
protected
array<string, bool>|string
$scriptSrcAttr
= []
$scriptSrcElem
The `script-src-elem` directive applies to all script requests and script blocks.
protected
array<string, bool>|string
$scriptSrcElem
= []
$styleNonce
Nonce for style tags.
protected
string|null
$styleNonce
$styleNonceTag
Nonce placeholder for style tags.
protected
string
$styleNonceTag
= '{csp-style-nonce}'
$styleSrc
The `style-src` directive restricts which styles the user agent may apply to the protected resource.
protected
array<string, bool>|string
$styleSrc
= []
$styleSrcAttr
The `style-src-attr` directive governs the behaviour of style attributes.
protected
array<string, bool>|string
$styleSrcAttr
= []
$styleSrcElem
The `style-src-elem` directive governs the behaviour of styles except for styles defined in inline attributes.
protected
array<string, bool>|string
$styleSrcElem
= []
$tempHeaders
An array of header info since we have to build ourselves before passing to a Response object.
protected
array<string, string>
$tempHeaders
= []
$upgradeInsecureRequests
Instructs user agents to rewrite URL schemes by changing HTTP to HTTPS.
protected
bool
$upgradeInsecureRequests
= false
$validSources
Set of valid keyword-sources.
protected
array<int, string>
$validSources
= [
// CSP2 keywords
'self',
'none',
'unsafe-inline',
'unsafe-eval',
// CSP3 keywords
'strict-dynamic',
'unsafe-hashes',
'report-sample',
'unsafe-allow-redirects',
'wasm-unsafe-eval',
'trusted-types-eval',
'report-sha256',
'report-sha384',
'report-sha512',
]
$workerSrc
The `worker-src` directive restricts the URLs which may be loaded as a `Worker`, `SharedWorker`, or `ServiceWorker`.
protected
array<string, bool>|string
$workerSrc
= []
$reportingEndpoints
Map of reporting endpoints to their URLs.
private
array<string, string>
$reportingEndpoints
= []
Methods
__construct()
Stores our default values from the Config file.
public
__construct(ContentSecurityPolicy $config) : mixed
Parameters
- $config : ContentSecurityPolicy
addBaseURI()
Adds a new value to the `base-uri` directive.
public
addBaseURI(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
base-uri restricts the URLs that can appear in a page's `<base>` element.
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addChildSrc()
Adds a new value to the `child-src` directive.
public
addChildSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
child-src lists the URLs for workers and embedded frame contents.
For example: child-src https://youtube.com would enable embedding
videos from YouTube but not from other origins.
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addConnectSrc()
Adds a new value to the `connect-src` directive.
public
addConnectSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
connect-src limits the origins to which you can connect
(via XHR, WebSockets, and EventSource).
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addFontSrc()
Adds a new value to the `font-src` directive.
public
addFontSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
font-src specifies the origins that can serve web fonts.
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addFormAction()
Adds a new value to the `form-action` directive.
public
addFormAction(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addFrameAncestor()
Adds a new value to the `frame-ancestors` directive.
public
addFrameAncestor(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addFrameSrc()
Adds a new value to the `frame-src` directive.
public
addFrameSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addImageSrc()
Adds a new value to the `img-src` directive.
public
addImageSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addManifestSrc()
Adds a new value to the `manifest-src` directive.
public
addManifestSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addMediaSrc()
Adds a new value to the `media-src` directive.
public
addMediaSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addObjectSrc()
Adds a new value to the `object-src` directive.
public
addObjectSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addPluginType()
Adds a new value to the `plugin-types` directive.
public
addPluginType(array<int, string>|string $mime[, bool|null $explicitReporting = null ]) : $this
Parameters
- $mime : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addReportingEndpoints()
Adds reporting endpoints to the `Reporting-Endpoints` header.
public
addReportingEndpoints(array<string, string> $endpoint) : static
Parameters
- $endpoint : array<string, string>
Return values
static
addSandbox()
Adds a new value to the `sandbox` directive.
public
addSandbox(array<int, string>|string $flags[, bool|null $explicitReporting = null ]) : $this
Parameters
- $flags : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addScriptSrc()
Adds a new value to the `script-src` directive.
public
addScriptSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addScriptSrcAttr()
Adds a new value to the `script-src-attr` directive.
public
addScriptSrcAttr(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : static
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
static
addScriptSrcElem()
Adds a new value to the `script-src-elem` directive.
public
addScriptSrcElem(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : static
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
static
addStyleSrc()
Adds a new value to the `style-src` directive.
public
addStyleSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
addStyleSrcAttr()
Adds a new value to the `style-src-attr` directive.
public
addStyleSrcAttr(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : static
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
static
addStyleSrcElem()
Adds a new value to the `style-src-elem` directive.
public
addStyleSrcElem(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : static
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
static
addWorkerSrc()
Adds a new value to the `worker-src` directive.
public
addWorkerSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : static
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
static
clearDirective()
public
clearDirective(string $directive) : void
Parameters
- $directive : string
enabled()
Whether Content Security Policy is being enforced.
public
enabled() : bool
Return values
bool
finalize()
Compiles and sets the appropriate headers in the request.
public
finalize(ResponseInterface $response) : void
Should be called just prior to sending the response to the user agent.
Parameters
- $response : ResponseInterface
getScriptNonce()
Get the nonce for the script tag.
public
getScriptNonce() : string
Return values
string
getStyleNonce()
Get the nonce for the style tag.
public
getStyleNonce() : string
Return values
string
reportOnly()
If TRUE, nothing will be restricted. Instead all violations will be reported to the reportURI for monitoring. This is useful when you are just starting to implement the policy, and will help determine what errors need to be addressed before you turn on all filtering.
public
reportOnly([bool $value = true ]) : $this
Parameters
- $value : bool = true
Return values
$this
setDefaultSrc()
Adds a new value to the `default-src` directive.
public
setDefaultSrc(array<int, string>|string $uri[, bool|null $explicitReporting = null ]) : $this
default-src is the URI that is used for many of the settings when
no other source has been set.
Parameters
- $uri : array<int, string>|string
- $explicitReporting : bool|null = null
Return values
$this
setReportToEndpoint()
Specifies a named group in a Reporting API endpoint to which the user agent sends reports about policy violation.
public
setReportToEndpoint(string $endpoint) : static
Parameters
- $endpoint : string
- The name of the reporting endpoint. Set `''` (an empty string) if you want to remove this directive at runtime.
Return values
static
setReportURI()
Specifies a URL where a browser will send reports when a content security policy is violated.
public
setReportURI(string $uri) : $this
Parameters
- $uri : string
- URL to send reports to. Set `''` (an empty string) if you want to remove this directive at runtime.
Return values
$this
upgradeInsecureRequests()
Sets whether the user agents should rewrite URL schemes, changing HTTP to HTTPS.
public
upgradeInsecureRequests([bool $value = true ]) : $this
Parameters
- $value : bool = true
Return values
$this
addOption()
DRY method to add a string or array to a class property.
protected
addOption(array<int, string>|string $options, string $target[, bool|null $explicitReporting = null ]) : void
Parameters
- $options : array<int, string>|string
- $target : string
- $explicitReporting : bool|null = null
addToHeader()
Adds a directive and its options to the appropriate header. The $values array might have options that are geared toward either the regular or the reportOnly header, since it's viable to have both simultaneously.
protected
addToHeader(string $name[, array<string, bool>|string $values = null ]) : void
Parameters
- $name : string
- $values : array<string, bool>|string = null
buildHeaders()
Based on the current state of the elements, will add the appropriate Content-Security-Policy and Content-Security-Policy-Report-Only headers with their values to the response object.
protected
buildHeaders(ResponseInterface $response) : void
Parameters
- $response : ResponseInterface
generateNonces()
Scans the body of the request message and replaces any nonce placeholders with actual nonces, that we'll then add to our headers.
protected
generateNonces(ResponseInterface $response) : void
Parameters
- $response : ResponseInterface
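The nonce placeholders of generateNonces() and the enforced versus report-only split of addToHeader(), buildHeaders() and reportOnly() above, modelled as an added stand-alone example: this is not the class's own code, the function names cspPlaceholderNonces and cspCompileHeaders are hypothetical, and it assumes a placeholder is replaced by a full `nonce="..."` attribute.

```php
<?php
declare(strict_types=1);

// Added example, not the CodeIgniter class documented above. Function names are
// hypothetical; the nonce="..." substitution for a placeholder is an assumption.

/** Keyword sources that must be single-quoted in a CSP header (the $validSources set). */
const CSP_KEYWORD_SOURCES = [
    'self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes',
    'report-sample', 'unsafe-allow-redirects', 'wasm-unsafe-eval', 'trusted-types-eval',
    'report-sha256', 'report-sha384', 'report-sha512',
];

/**
 * Model of generateNonces(): swap the {csp-script-nonce} / {csp-style-nonce}
 * placeholders for fresh per-response nonces. Returns [body, scriptNonce, styleNonce].
 */
function cspPlaceholderNonces(string $body): array
{
    $scriptNonce = base64_encode(random_bytes(16)); // unpredictable and unique per response
    $styleNonce  = base64_encode(random_bytes(16));
    $body = str_replace(
        ['{csp-script-nonce}', '{csp-style-nonce}'],
        ['nonce="' . $scriptNonce . '"', 'nonce="' . $styleNonce . '"'],
        $body
    );
    return [$body, $scriptNonce, $styleNonce];
}

/**
 * Model of buildHeaders()/addToHeader(). $directives maps a directive name to
 * [source => explicitReporting]; a source flagged true goes only to the
 * report-only header, and $reportOnly (the reportOnly() switch) moves every source there.
 */
function cspCompileHeaders(array $directives, bool $reportOnly, string $scriptNonce,
    string $styleNonce, ?string $reportUri = null): array
{
    $enforced = [];
    $reported = [];
    foreach ($directives as $name => $sources) {
        foreach ($sources as $source => $explicitReporting) {
            // Keyword sources are quoted; host and scheme sources are emitted verbatim.
            $token = in_array($source, CSP_KEYWORD_SOURCES, true) ? "'{$source}'" : $source;
            if ($reportOnly || $explicitReporting) {
                $reported[$name][] = $token;
            } else {
                $enforced[$name][] = $token;
            }
        }
    }
    // The nonces go wherever script-src/style-src are actually applied.
    if ($reportOnly) { $target = &$reported; } else { $target = &$enforced; }
    $target['script-src'][] = "'nonce-{$scriptNonce}'";
    $target['style-src'][]  = "'nonce-{$styleNonce}'";
    unset($target);

    $headers = [];
    $buckets = ['Content-Security-Policy' => $enforced, 'Content-Security-Policy-Report-Only' => $reported];
    foreach ($buckets as $headerName => $bucket) {
        if ($bucket === []) { continue; }
        if ($reportUri !== null) { $bucket['report-uri'][] = $reportUri; }
        $parts = [];
        foreach ($bucket as $directive => $tokens) { $parts[] = $directive . ' ' . implode(' ', $tokens); }
        $headers[$headerName] = implode('; ', $parts);
    }
    return $headers;
}

// Constructed sample page: the inline script carries the documented placeholder.
[$html, $scriptNonce, $styleNonce] = cspPlaceholderNonces('<script {csp-script-nonce}>app.init();</script>');
$headers = cspCompileHeaders([
    'default-src' => ['none' => false],
    'script-src'  => ['self' => false, 'https://cdn.example.test' => true], // new CDN: report before enforcing
    'style-src'   => ['self' => false],
    'object-src'  => ['none' => false],
], false, $scriptNonce, $styleNonce, '/csp-report');
foreach ($headers as $name => $value) { echo $name, ': ', $value, PHP_EOL; }
echo $html, PHP_EOL;
```

The CDN source flagged with `true` lands in the Content-Security-Policy-Report-Only header while the rest of the policy, including the freshly generated nonces, is enforced, which is the staged rollout the `$explicitReporting` parameter is for.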